I have the backend walled off, so that members cannot get in there to screw around with stuff. Some plugins like Jetpack allow their menus to show to subscribers, etc., so I would just as soon not deal with the inevitable meddler. The Profile is still able to be modified through the SP screens, so there is no loss of functionality, as that is all that having backend access should really do.
The question:
When a user signs up, WP generates a strong PW. That's good. But I'm seeing a number of members immediately initiating a PW change, as opposed to just storing the strong one issued in their browser's PW vault. Some of them are known to be, er..., relatively clueless, so are most probably setting a dictionary word or such. The backend being (I think) totally walled off adds a level of security. The members being only subscribers to WP adds its own level so, when I think about it in those terms, it doesn't seem to be a security issue. However, there are some very creative people out there who can brute-force a PW in a matter of minutes. Relying on that which "seems" can be one's undoing.
I've tried a number of WP plugins that force strong PWs, and they work quite well in the backend but don't seem to transfer this functionality into the SP Profile screen. I can set a PW as lame as I like and it accepts it. I don't understand exactly why, but it would appear that a section of WP code isn't being exposed to SP.
Thoughts?
We do just use the standard WP password stuff... unfortunately any plugins you add won't be using WP core code... they will be hooking into the WP password form and doing stuff themselves outside of WP core... if you don't have your plugin, you can set a simple password too...
The WP profile and password fields have a bunch of other stuff on them too - and thus differ from our password form... might be interesting to know how they were hooking into the WP process... i.e., specific hooks or actions or ids or what... knowing that, we might be able to replicate or allow similar behavior - though the ajax nature of our profile forms might cause some issues too...
Visit Cruise Talk Central and Mr Papa's World
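To make the point above concrete, here is an added example (not code from this thread, from Simple:Press, or from the Force Strong Passwords plugin) of what "hooking into the WP password process" looks like: a small mu-plugin that rejects weak passwords through the two core actions that hand a WP_Error object to plugins. `ex_password_is_weak`, its thresholds and the deny list are made up for illustration. The caveat that matters for this thread is in the header comment: `user_profile_update_errors` is fired by `edit_user()` (the wp-admin profile/user-edit save path) and `validate_password_reset` by wp-login.php, so a custom or ajax profile form that saves through `wp_update_user()` or `wp_set_password()` directly never reaches either check. Which save path a given form uses is exactly the thing to find out.

```php
<?php
/**
 * Plugin Name: Example strong-password check (added example, not SP/FSP code)
 *
 * Rejects weak passwords on the two WordPress core paths that expose an
 * error object to plugins:
 *   - user_profile_update_errors : fired by edit_user() in wp-admin
 *   - validate_password_reset     : fired by wp-login.php on the reset form
 * A form that calls wp_update_user() or wp_set_password() itself fires
 * neither action, so this check never sees that password.
 */

/**
 * Hypothetical policy: at least 12 characters, three of four character
 * classes, and not on a small constructed deny list.
 * Returns an error message string, or '' when the password is acceptable.
 */
function ex_password_is_weak( $password ) {
	$denylist = array( 'password', 'password1', 'letmein', 'qwerty123' ); // constructed sample
	if ( in_array( strtolower( $password ), $denylist, true ) ) {
		return 'That password is on the common-password list.';
	}
	if ( strlen( $password ) < 12 ) {
		return 'Passwords must be at least 12 characters.';
	}
	$classes = 0;
	foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
		if ( preg_match( $re, $password ) ) {
			$classes++;
		}
	}
	if ( $classes < 3 ) {
		return 'Use at least three of: lower case, upper case, digits, symbols.';
	}
	return '';
}

// wp-admin profile / user-edit save: $errors is a WP_Error, $update a bool, $user the pending user.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // password field left blank: not being changed
	}
	$msg = ex_password_is_weak( wp_unslash( $_POST['pass1'] ) );
	if ( '' !== $msg ) {
		$errors->add( 'ex_weak_password', $msg ); // core aborts the save when $errors is non-empty
	}
}, 10, 3 );

// wp-login.php password reset form: same field name, same error object convention.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return;
	}
	$msg = ex_password_is_weak( wp_unslash( $_POST['pass1'] ) );
	if ( '' !== $msg ) {
		$errors->add( 'ex_weak_password', $msg );
	}
}, 10, 2 );
```

Drop the file in wp-content/mu-plugins/ to try it; it affects only the admin profile screen and the reset form, which is why a third-party profile form with its own ajax save handler can still accept "password1" even with a strength plugin active.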
Mr Papa said
We do just use the standard WP password stuff... unfortunately any plugins you add won't be using WP core code... they will be hooking into the WP password form and doing stuff themselves outside of WP core... if you don't have your plugin, you can set a simple password too...
True, but it does have the strength meter to inform users that their choice is a Bad Thing.
The WP profile and password fields have a bunch of other stuff on them too - and thus differ from our password form... might be interesting to know how they were hooking into the WP process... i.e., specific hooks or actions or ids or what... knowing that, we might be able to replicate or allow similar behavior - though the ajax nature of our profile forms might cause some issues too...
I'll look into those. The plugin I'm using for strength is Force Strong Passwords. If this could somehow be integrated into the SP Profile edit screen, that would be great. The plugin I'm using as a companion to this is Simple User Password Generator which generates WP passwords at the strongest strength and will also email the PW to the user if desired.
I suppose that I could just eliminate the password fields in SP Profile and, when a member forgets theirs, generate one manually for them and email it using that plugin.
Thanks for the thoughts.
I have made a note of this and can try to check some of the plugins... Our password stuff existed before WP had the strength meter and stuff, so it might be time to get back in sync... there is an open ticket for it...